Russian Cyber Activity Targeting Critical Infrastructure Sectors

US-CERT (the United States Computer Emergency Readiness Team) has recently issued a joint technical alert which is a result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). (Read this Alert) Details are below.

Alert Synopsis
This alert provides information on Russian government actions targeting U.S. Government entities as well as organizations in the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors. It also contains indicators of compromise (IOCs) and technical details on the tactics, techniques, and procedures (TTPs) used by Russian government cyber actors on compromised victim networks. DHS and FBI produced this alert to educate network defenders to enhance their ability to identify and reduce exposure to malicious activity.

DHS and FBI characterize this activity as a multi-stage intrusion campaign by Russian government cyber actors who targeted small commercial facilities’ networks where they staged malware, conducted spear phishing, and gained remote access into energy sector networks. After obtaining access, the Russian government cyber actors conducted network reconnaissance, moved laterally, and collected information pertaining to Industrial Control Systems (ICS).

Since March 2016, Russian government cyber actors—hereafter referred to as “threat actors”—targeted government entities and multiple U.S. critical infrastructure sectors, including the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors.

Analysis by DHS and FBI resulted in the identification of distinct indicators and behaviors related to this activity. Of note, the report Dragonfly: Western energy sector targeted by sophisticated attack group, released by Symantec on September 6, 2017, provides additional information about this ongoing campaign. [1]

This campaign comprises two distinct categories of victims: staging and intended targets. The initial victims are peripheral organizations such as trusted third-party suppliers with less secure networks, referred to as “staging targets” throughout this alert. The threat actors used the staging targets’ networks as pivot points and malware repositories when targeting their final intended victims. NCCIC and FBI judge the ultimate objective of the actors is to compromise organizational networks, also referred to as the “intended target.”

What Can You Do?
DHS and the FBI recommend that network administrators review the IP addresses, domain names, file hashes and network signatures listed in the alert. They should also apply the consolidated set of YARA rules for malware associated with the intrusion, authored by the National Cybersecurity and Communications Integration Center (NCCIC). YARA is an open-source, multiplatform tool that provides a mechanism to exploit code similarities between malware samples within a malware family.

Network administrators should also add the listed IPs to watch lists to determine whether malicious activity has occurred within their company or organization. System owners are advised to run the YARA rules on any system suspected of having been targeted by the threat actors. DHS also specifically instructs anyone who identifies the use of the tools or techniques described in the alert to report it to DHS or law enforcement immediately at NCCICcustomerservice@hq.dhs.gov or 888-282-0870.
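As an added example (not code from the alert or this post), the watchlist check recommended above: a small Python script that normalises an advisory-style indicator list (defanged with `hxxp` and `[.]`), sorts it into IPs, domains and SHA-256 hashes, and cross-references sample log lines against it. Every indicator value and log line here is a constructed placeholder (TEST-NET addresses, `.example` names), not an IOC from the alert.

```python
import re

# Constructed, defanged indicator list in the style advisories publish.
# Placeholders only: TEST-NET addresses and .example names, not the alert's IOCs.
IOC_TEXT = """
203[.]0[.]113[.]45
staging-supplier[.]example
hxxp://198[.]51[.]100[.]7/update/index.php
0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
"""

# Constructed sample log lines (proxy, DNS and endpoint telemetry) to scan.
SAMPLE_LOGS = [
    "2018-03-16T09:12:01Z proxy client=10.0.0.8 dst=198.51.100.7 url=/update/index.php",
    "2018-03-16T09:13:44Z dns query=staging-supplier.example client=10.0.0.8",
    "2018-03-16T09:14:02Z edr host=ws07 file=C:\\Temp\\a.exe sha256=" + "0123456789abcdef" * 4,
    "2018-03-16T09:15:10Z dns query=intranet.corp.local client=10.0.0.9",
]

IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
TOKEN_RE = re.compile(r"[A-Za-z0-9.\-]+")   # atoms worth comparing against the watchlist

def refang(ioc):
    """Turn a defanged indicator (hxxp, [.]) back into a lowercase host/IP/hash atom."""
    s = ioc.strip().lower().replace("[.]", ".").replace("hxxp", "http")
    s = re.sub(r"^[a-z]+://", "", s)   # drop URL scheme
    return s.split("/")[0]             # keep host or IP, drop the path

def load_iocs(text):
    """Return {'ip': set, 'sha256': set, 'domain': set} parsed from advisory text."""
    iocs = {"ip": set(), "sha256": set(), "domain": set()}
    for line in text.splitlines():
        atom = refang(line)
        if not atom:
            continue
        if IP_RE.match(atom):
            iocs["ip"].add(atom)
        elif SHA256_RE.match(atom):
            iocs["sha256"].add(atom)
        else:
            iocs["domain"].add(atom)
    return iocs

def scan_logs(lines, iocs):
    """Return (line_index, kind, value) for every token that hits the watchlist."""
    hits = []
    for i, line in enumerate(lines):
        for tok in TOKEN_RE.findall(line.lower()):
            for kind, values in iocs.items():
                if tok in values:
                    hits.append((i, kind, tok))
    return hits

if __name__ == "__main__":
    for i, kind, val in scan_logs(SAMPLE_LOGS, load_iocs(IOC_TEXT)):
        print(f"line {i}: {kind} watchlist hit on {val}")
```

In practice the log source would be a proxy, DNS or EDR export rather than the inline sample, and a hit is a trigger for investigation and reporting as the alert directs, not proof of compromise on its own.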